Vulnerability Analysis of a Commercial .NET Smart Card

  • Behrang Fouladi
  • Konstantinos Markantonakis
  • Keith Mayes
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8419)

Abstract

In this paper we discuss the operating system security measures of a commercial .NET smart card that are intended to mitigate the risks posed by malicious smart card applications. We also investigate how these security measures relate to the card-resident binary by analysing its proprietary file format, and use that analysis to develop a new vulnerability research tool for .NET card applications. This tool enables us to modify compiled card applications in order to create vulnerability research test cases. We then present the details of the vulnerabilities in the target .NET virtual machine (VM) that were discovered using this tool. Because the vulnerabilities relate to potential misuse of administrator privileges, we conclude by recommending countermeasures to be implemented in the card manager application and the .NET VM to fix them.

Keywords

.NET smart card, Embedded .NET, Smart card firewall, VM vulnerabilities, File format


Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Behrang Fouladi (1)
  • Konstantinos Markantonakis (2)
  • Keith Mayes (2)
  1. Microsoft Security Response Center, London, UK
  2. Smart Card Centre, Royal Holloway, University of London, Egham, Surrey, UK